GitHub/outline
1
0
Fork 0
mirror of https://github.com/outline/outline.git synced 2026-06-13 03:14:59 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
77cee2806c8639113cc6677f33fee41470a1fe1f
outline/server/routes/api/groups/groups.test.ts
T
Tom Moor 77cee2806c chore: getJWTToken -> getSessionToken (#12371) 
* getJWTToken -> getSessionToken

Ensure expiry is included in payload

* Refactor test harness to avoid direct usage of getSessionToken
2026-05-17 16:58:52 -04:00

879 lines
24 KiB
TypeScript
Raw Blame History

import type { Group, User } from "@server/models";
import { AuthenticationProvider, Event, ExternalGroup } from "@server/models";
import {
buildUser,
buildAdmin,
buildGroup,
buildGroupUser,
} from "@server/test/factories";
import { getTestServer } from "@server/test/support";
import { GroupPermission } from "@shared/types";
const server = getTestServer();
describe("#groups.create", () => {
it("should create a group", async () => {
const name = "hello I am a group";
const user = await buildAdmin();
const res = await server.post("/api/groups.create", user, {
body: {
name,
externalId: "123",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toEqual(name);
expect(body.data.externalId).toEqual("123");
});
});
describe("#groups.update", () => {
it("should require authentication", async () => {
const group = await buildGroup();
const res = await server.post("/api/groups.update", {
body: {
id: group.id,
name: "Test",
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const group = await buildGroup();
const user = await buildUser();
const res = await server.post("/api/groups.update", user, {
body: {
id: group.id,
name: "Test",
},
});
expect(res.status).toEqual(403);
});
it("should require authorization", async () => {
const group = await buildGroup();
const user = await buildAdmin();
const res = await server.post("/api/groups.update", user, {
body: {
id: group.id,
name: "Test",
},
});
expect(res.status).toEqual(403);
});
describe("when user is admin", () => {
let user: User, group: Group;
beforeEach(async () => {
user = await buildAdmin();
group = await buildGroup({
teamId: user.teamId,
});
});
it("allows admin to edit a group", async () => {
const res = await server.post("/api/groups.update", user, {
body: {
id: group.id,
name: "Test",
externalId: "123",
},
});
const events = await Event.findAll({
where: {
name: "groups.update",
teamId: user.teamId,
},
});
expect(events.length).toEqual(1);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe("Test");
expect(body.data.externalId).toBe("123");
});
});
describe("when user is group admin", () => {
let user: User, group: Group;
beforeEach(async () => {
user = await buildUser();
group = await buildGroup({
teamId: user.teamId,
});
// Make the user a group admin
const admin = await buildAdmin({
teamId: user.teamId,
});
await server.post("/api/groups.add_user", admin, {
body: {
id: group.id,
userId: user.id,
permission: "admin",
},
});
});
it("allows group admin to edit a group", async () => {
const res = await server.post("/api/groups.update", user, {
body: {
id: group.id,
name: "Test by Group Admin",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe("Test by Group Admin");
});
});
describe("when checking for noop updates", () => {
let user: User, group: Group;
beforeEach(async () => {
user = await buildAdmin();
group = await buildGroup({
teamId: user.teamId,
});
});
it("does not create an event if the update is a noop", async () => {
const res = await server.post("/api/groups.update", user, {
body: {
id: group.id,
name: group.name,
},
});
const events = await Event.findAll({
where: {
name: "groups.update",
teamId: user.teamId,
},
});
expect(events.length).toEqual(0);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe(group.name);
});
it("fails with validation error when name already taken", async () => {
await buildGroup({
teamId: user.teamId,
name: "test",
});
const res = await server.post("/api/groups.update", user, {
body: {
id: group.id,
name: "TEST",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body).toMatchSnapshot();
});
});
});
describe("#groups.list", () => {
it("should require authentication", async () => {
const res = await server.post("/api/groups.list");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should return groups with memberships preloaded", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.list", user);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.pagination.total).toEqual(1);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
expect(body.data.groupMemberships.length).toEqual(1);
expect(body.data.groupMemberships[0].groupId).toEqual(group.id);
expect(body.data.groupMemberships[0].user.id).toEqual(user.id);
expect(body.policies.length).toEqual(1);
expect(body.policies[0].abilities.read).toBeTruthy();
});
it("should return groups when membership user is deleted", async () => {
const me = await buildUser();
const user = await buildUser({
teamId: me.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: me.id,
},
});
await group.$add("user", me, {
through: {
createdById: me.id,
},
});
await user.destroy({ hooks: false });
const res = await server.post("/api/groups.list", me);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groups.length).toEqual(1);
expect(body.pagination.total).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
expect(body.data.groupMemberships.length).toEqual(1);
expect(body.data.groupMemberships[0].groupId).toEqual(group.id);
expect(body.data.groupMemberships[0].user.id).toEqual(me.id);
expect(body.policies.length).toEqual(1);
expect(body.policies[0].abilities.read).toBeTruthy();
});
it("should return groups only to which a given user has been added", async () => {
const user = await buildUser();
const anotherUser = await buildUser({
teamId: user.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
const anotherGroup = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
await group.$add("user", anotherUser, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.list", user);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.pagination.total).toEqual(2);
expect(body.data.groups.length).toEqual(2);
expect(body.data.groups[0].id).toEqual(anotherGroup.id);
expect(body.data.groups[1].id).toEqual(group.id);
expect(body.data.groupMemberships.length).toEqual(2);
expect(body.data.groupMemberships[0].groupId).toEqual(group.id);
expect(body.data.groupMemberships[1].groupId).toEqual(group.id);
expect(
body.data.groupMemberships
.map((u: { user: { id: string } }) => u.user.id)
.includes(user.id)
).toBe(true);
expect(
body.data.groupMemberships
.map((u: { user: { id: string } }) => u.user.id)
.includes(anotherUser.id)
).toBe(true);
expect(body.policies.length).toEqual(2);
const anotherRes = await server.post("/api/groups.list", user, {
body: {
userId: user.id,
},
});
const anotherBody = await anotherRes.json();
expect(anotherRes.status).toEqual(200);
expect(anotherBody.pagination.total).toEqual(1);
expect(anotherBody.data.groups.length).toEqual(1);
expect(anotherBody.data.groups[0].id).toEqual(group.id);
expect(anotherBody.data.groupMemberships.length).toEqual(2);
expect(anotherBody.data.groupMemberships[0].groupId).toEqual(group.id);
expect(anotherBody.data.groupMemberships[1].groupId).toEqual(group.id);
expect(
anotherBody.data.groupMemberships
.map((u: { user: { id: string } }) => u.user.id)
.includes(user.id)
).toBe(true);
expect(
anotherBody.data.groupMemberships
.map((u: { user: { id: string } }) => u.user.id)
.includes(anotherUser.id)
).toBe(true);
});
it("should allow to find a group by its name", async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
await buildGroup({ teamId: user.teamId });
const res = await server.post("/api/groups.list", user, {
body: {
name: group.name,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.pagination.total).toEqual(1);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
});
it("should allow to find a group by its externalId", async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId, externalId: "123" });
await buildGroup({ teamId: user.teamId });
const res = await server.post("/api/groups.list", user, {
body: {
externalId: "123",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.pagination.total).toEqual(1);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
});
it("should return correct group total even when the limit is less than the total", async () => {
const user = await buildUser();
await buildGroup({ teamId: user.teamId });
await buildGroup({ teamId: user.teamId });
const res = await server.post("/api/groups.list", user, {
body: {
limit: 1,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.pagination.total).toEqual(2);
expect(body.data.groups.length).toEqual(1);
});
it("should not return groups from other teams when filtering by source", async () => {
const user = await buildUser();
const group = await buildGroup({ teamId: user.teamId });
const authProvider = (await AuthenticationProvider.findOne({
where: { teamId: user.teamId },
}))!;
await ExternalGroup.create({
externalId: "ext-1",
name: "Synced Group",
groupId: group.id,
authenticationProviderId: authProvider.id,
teamId: user.teamId,
});
// Create a group on a different team with an external group mapping
const otherUser = await buildUser();
const otherGroup = await buildGroup({ teamId: otherUser.teamId });
const otherAuthProvider = (await AuthenticationProvider.findOne({
where: { teamId: otherUser.teamId },
}))!;
await ExternalGroup.create({
externalId: "ext-2",
name: "Other Team Group",
groupId: otherGroup.id,
authenticationProviderId: otherAuthProvider.id,
teamId: otherUser.teamId,
});
const res = await server.post("/api/groups.list", user, {
body: {
source: authProvider.name,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groups.length).toEqual(1);
expect(body.data.groups[0].id).toEqual(group.id);
});
});
describe("#groups.info", () => {
it("should return group if admin", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.info", user, {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should return group with externalId", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
externalId: "456",
});
const res = await server.post("/api/groups.info", user, {
body: {
externalId: "456",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should return group if member", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.info", user, {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should return group if non-member, non-admin", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.info", user, {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.info");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const user = await buildUser();
const group = await buildGroup();
const res = await server.post("/api/groups.info", user, {
body: {
id: group.id,
},
});
expect(res.status).toEqual(403);
});
});
describe("#groups.delete", () => {
it("should require authentication", async () => {
const group = await buildGroup();
const res = await server.post("/api/groups.delete", {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const group = await buildGroup();
const user = await buildUser();
const res = await server.post("/api/groups.delete", user, {
body: {
id: group.id,
},
});
expect(res.status).toEqual(403);
});
it("should require authorization", async () => {
const group = await buildGroup();
const user = await buildAdmin();
const res = await server.post("/api/groups.delete", user, {
body: {
id: group.id,
},
});
expect(res.status).toEqual(403);
});
it("allows admin to delete a group", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.delete", user, {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.success).toEqual(true);
});
});
describe("#groups.memberships", () => {
it("should return members in a group", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.memberships", user, {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(user.id);
expect(body.data.groupMemberships.length).toEqual(1);
expect(body.data.groupMemberships[0].user.id).toEqual(user.id);
});
it("should allow filtering members in group by name", async () => {
const user = await buildUser();
const user2 = await buildUser({
name: "Won't find",
});
const user3 = await buildUser({
teamId: user.teamId,
name: "Deleted",
});
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
await group.$add("user", user2, {
through: {
createdById: user.id,
},
});
await group.$add("user", user3, {
through: {
createdById: user.id,
},
});
await user3.destroy();
const res = await server.post("/api/groups.memberships", user, {
body: {
id: group.id,
query: user.name.slice(0, 3),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(user.id);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.memberships");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const user = await buildUser();
const group = await buildGroup();
const res = await server.post("/api/groups.memberships", user, {
body: {
id: group.id,
},
});
expect(res.status).toEqual(403);
});
});
describe("#groups.add_user", () => {
it("should add user to group", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.add_user", user, {
body: {
id: group.id,
userId: user.id,
},
});
const users = await group.$get("users");
expect(res.status).toEqual(200);
expect(users.length).toEqual(1);
});
it("should add user to group as admin", async () => {
const user = await buildAdmin();
const anotherUser = await buildUser({
teamId: user.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.add_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
permission: GroupPermission.Admin,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groupMemberships[0].permission).toEqual(
GroupPermission.Admin
);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.add_user");
expect(res.status).toEqual(401);
});
it("should require user in team", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser();
const res = await server.post("/api/groups.add_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/groups.add_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#groups.remove_user", () => {
it("should remove user from group", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
await server.post("/api/groups.add_user", user, {
body: {
id: group.id,
userId: user.id,
},
});
const users = await group.$get("users");
expect(users.length).toEqual(1);
const res = await server.post("/api/groups.remove_user", user, {
body: {
id: group.id,
userId: user.id,
},
});
const users1 = await group.$get("users");
expect(res.status).toEqual(200);
expect(users1.length).toEqual(0);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.remove_user");
expect(res.status).toEqual(401);
});
it("should require user in team", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser();
const res = await server.post("/api/groups.remove_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/groups.remove_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#groups.update_user", () => {
it("should update user role in group", async () => {
const user = await buildAdmin();
const anotherUser = await buildUser({
teamId: user.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
await buildGroupUser({
groupId: group.id,
userId: anotherUser.id,
createdById: user.id,
});
// Then update the user to be an admin
const res = await server.post("/api/groups.update_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
permission: GroupPermission.Admin,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.groupMemberships[0].permission).toEqual(
GroupPermission.Admin
);
// Update the user to not be an admin
const res2 = await server.post("/api/groups.update_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
permission: "member",
},
});
const body2 = await res2.json();
expect(res2.status).toEqual(200);
expect(body2.data.groupMemberships[0].permission).toEqual(
GroupPermission.Member
);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.update_user");
expect(res.status).toEqual(401);
});
it("should require admin", async () => {
const user = await buildUser();
const anotherUser = await buildUser({
teamId: user.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
// Add the user to the group
const admin = await buildAdmin({
teamId: user.teamId,
});
await buildGroupUser({
groupId: group.id,
userId: anotherUser.id,
createdById: admin.id,
});
// Try to update as non-admin
const res = await server.post("/api/groups.update_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
permission: GroupPermission.Admin,
},
});
expect(res.status).toEqual(403);
});
it("should 404 if user is not in group", async () => {
const user = await buildAdmin();
const anotherUser = await buildUser({
teamId: user.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.update_user", user, {
body: {
id: group.id,
userId: anotherUser.id,
permission: GroupPermission.Admin,
},
});
expect(res.status).toEqual(404);
});
});
Reference in New Issue View Git Blame Copy Permalink